Determining concurrency
Determining the number of users currently using a system is difficult, particularly if
the log does not contain events for both the beginning and end of a transaction. With
web server logs in particular, it is not quite possible to know when a user has left a
site. Let's investigate a couple of strategies for answering this question.
Using transaction with concurrency
If the question you are trying to answer is "how many transactions were happening
at a time?", you can use transaction to combine related events and calculate
the duration of each transaction. We will then use the concurrency command
to increase a counter when the events start, and decrease when the time has
expired for each transaction. Let's start with our searches from the previous section:
sourcetype="impl_splunk_web"
| transaction maxpause=5m uid
This will return a transaction for every uid, assuming that if no requests were
made for five minutes, the session is complete. This provides results as shown
in the following screenshot:
By simply adding the concurrency command, we can determine the overlap of these
transactions, and find out how many transactions were occurring at a time. Let's also
add the table and sort commands to create a table:
sourcetype="impl_splunk_web"
| transaction maxpause=5m uid
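
The following Python model is an added example, not code from the original text or from Splunk. It reproduces what the two steps above compute: events are grouped per uid into transactions that end after a pause longer than five minutes, then a counter rises when a transaction starts and falls once its duration has expired. The sample events, the dictionary field names, and the rule that a transaction ending exactly when another starts is no longer counted are assumptions made for this example.

```python
import heapq
from collections import defaultdict

MAXPAUSE = 300  # seconds; mirrors maxpause=5m in the search above

# Constructed sample events: (epoch_seconds, uid)
EVENTS = [
    (0, "alice"), (60, "alice"), (200, "alice"),
    (100, "bob"), (150, "bob"),
    (180, "carol"),
    (700, "alice"),               # more than 5 minutes after alice's last request
    (720, "bob"), (900, "bob"),
]

def build_transactions(events, maxpause=MAXPAUSE):
    """Group events by uid; a pause longer than maxpause closes the transaction."""
    by_uid = defaultdict(list)
    for ts, uid in events:
        by_uid[uid].append(ts)
    txns = []
    for uid, stamps in by_uid.items():
        stamps.sort()
        start, prev, count = stamps[0], stamps[0], 1
        for ts in stamps[1:]:
            if ts - prev > maxpause:
                txns.append({"uid": uid, "start": start,
                             "duration": prev - start, "eventcount": count})
                start, count = ts, 0
            prev = ts
            count += 1
        txns.append({"uid": uid, "start": start,
                     "duration": prev - start, "eventcount": count})
    return sorted(txns, key=lambda t: t["start"])

def add_concurrency(txns):
    """For each transaction, count transactions still open at its start (itself included)."""
    open_ends = []  # min-heap of end times of transactions not yet expired
    for t in txns:  # txns must be sorted by start time
        while open_ends and open_ends[0] <= t["start"]:
            heapq.heappop(open_ends)        # expired: decrease the counter
        heapq.heappush(open_ends, t["start"] + t["duration"])  # started: increase
        t["concurrency"] = len(open_ends)
    return txns

if __name__ == "__main__":
    for t in add_concurrency(build_transactions(EVENTS)):
        print(t["start"], t["uid"], t["duration"], t["eventcount"], t["concurrency"])
```

Note that a user who makes a single request produces a transaction with a duration of zero, which is why web logs without an explicit end event tend to undercount concurrent users.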
 